Description
1. Summary
If I use Bandit with the INI configuration, Bandit prints messages with the prefix [main] INFO to the console even if the user uses the --silent command-line argument.
It looks like a bug and can cause problems when developing tools related to Bandit.
2. MCVE
2.1. Reproducibility
I reproduced the problem on Ubuntu and Windows.
2.2. Files
kira_valid_file.py:
print("Kira Goddess!")
bandit.yaml:
exclude_dirs:
- .venv
skips:
- B404
.bandit:
[bandit]
exclude = ./.venv
skips: B404
2.3. Behavior
2.3.1. Expected — legacy YAML configuration
bandit --configfile bandit.yaml --silent kira_valid_file.py
No output.
2.3.2. Undesired — INI configuration
bandit --ini .bandit --silent kira_valid_file.py
[main] INFO Using ini file for skipped tests
[main] INFO Using command line arg for selected targets
Bandit always prints two extra lines to the console. I can't find a way to suppress them.
3. Justification of the need for the feature
3.1. Undocumented behavior
The documentation of the --silent command-line argument:
-q, --quiet, --silent
only show output in the case of an error
I have no errors, so Bandit shouldn't print any messages.
3.2. SublimeLinter plugin doesn’t work
I created this bug report because it looks like these extra lines cause problems when developing tools related to Bandit.
I created a simple Bandit plugin for SublimeLinter.
from SublimeLinter.lint import PythonLinter, util


class Bandit(PythonLinter):
    cmd = ("bandit", "${args}", "--silent", "${file}")
    defaults = {
        "selector": "source.python"
    }
    # read stdout and stderr together
    error_stream = util.STREAM_BOTH
    # the regex spans several lines of one finding
    multiline = True
    regex = (
        r"^>>\s+Issue:\s+\[(?P<code>[B]\d+):.*?\]\s+(?P<message>.*)$\r?\n"
        r".*?Severity:\s+(?:(?P<error>High)|(?P<warning>Medium|Low)).*\r?\n"
        r"(.*\r?\n)*?"
        r"^.*?Location:\s+.*?:(?P<line>\d+)(?::\d+)?\s*$\r?\n"
    )
If ${args} is --configfile bandit.yaml, this plugin shows errors inside the Sublime Text IDE.
If ${args} is --ini .bandit, the plugin doesn't work; I get this warning in the Sublime Text console:
SublimeLinter: #3457 linter.py:823 WARNING: bandit output:
[main] INFO Using ini file for skipped tests
[main] INFO Using command line arg for selected targets
SublimeLinter.plugin.bandit [WARNING]: bandit output:
[main] INFO Using ini file for skipped tests
[main] INFO Using command line arg for selected targets
SublimeLinter: #3457 linter.py:824 Note: above warning will become an error in the future. Implement `on_stderr` if you think this is wrong.
SublimeLinter.plugin.bandit [INFO]: Note: above warning will become an error in the future. Implement `on_stderr` if you think this is wrong.
command: sublime_linter_failed {"filename": "D:\\SashaDemoRepositories\\SashaTravis\\kira_valid_file.py", "linter_name": "bandit"}
SublimeLinter: #3457 linter.py:1243 bandit: no output
SublimeLinter.plugin.bandit [INFO]: bandit: no output
Perhaps it’s possible to create a working SublimeLinter plugin for the Bandit INI configuration, but this is fraught with additional difficulties.
4. Environment
- Operating system:
- Local — Microsoft Windows [Version 10.0.22621.3085]
- Travis CI — Ubuntu 24.04.2 LTS Noble Numbat
- AppVeyor CI — Microsoft Windows [Version 10.0.17763.6189]
- Bandit 1.8.3:
- Local — python version = 3.13.2 (tags/v3.13.2:4f8bb39, Feb 4 2025, 15:23:48) [MSC v.1942 64 bit (AMD64)]
- Travis CI — python version = 3.13.1 (main, Feb 24 2025, 13:35:32) [GCC 13.3.0]
- AppVeyor CI — python version = 3.12.8 (tags/v3.12.8:2dc476b, Dec 3 2024, 19:07:15) [MSC v.1942 32 bit (Intel)]
Thanks.
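Added example (not part of the bug report, and not code from Bandit or SublimeLinter): it runs the plugin's own regex over a constructed Bandit text report that is preceded by the two stray [main] INFO lines, and separates those logger lines from the findings. The point it demonstrates is that the regex still finds the issue in the merged stream; what breaks the plugin is SublimeLinter's default treatment of any stderr text as a linter failure, so a plugin-side workaround is to filter those lines, for instance in the on_stderr hook the console warning names (how that hook is wired is left to the SublimeLinter docs and is not shown here). The sample report text and the B602 finding are constructed, not captured from a real run.

```python
import re

# The plugin's own regex, compiled with re.MULTILINE (the flag SublimeLinter applies
# when a linter sets ``multiline = True``).
ISSUE_RE = re.compile(
    r"^>>\s+Issue:\s+\[(?P<code>[B]\d+):.*?\]\s+(?P<message>.*)$\r?\n"
    r".*?Severity:\s+(?:(?P<error>High)|(?P<warning>Medium|Low)).*\r?\n"
    r"(.*\r?\n)*?"
    r"^.*?Location:\s+.*?:(?P<line>\d+)(?::\d+)?\s*$\r?\n",
    re.MULTILINE,
)

# Lines written by Bandit's ``[main]`` logger, e.g. ``[main] INFO Using ini file ...``.
# All levels are matched so that the caller decides what to do with non-INFO lines
# instead of the filter silently hiding a real ``[main] ERROR``.
LOG_LINE_RE = re.compile(r"^\[[\w.]+\]\s+(?:DEBUG|INFO|WARNING|ERROR|CRITICAL)\b")


def split_bandit_log_lines(stream: str) -> tuple[str, list[str]]:
    """Separate Bandit's logger lines from the rest of a merged stdout/stderr stream.

    Returns (remaining_text, dropped_log_lines) so a caller can still surface
    the dropped lines (e.g. anything that is not INFO) rather than lose them.
    """
    kept, dropped = [], []
    for line in stream.splitlines(keepends=True):
        (dropped if LOG_LINE_RE.match(line) else kept).append(line)
    return "".join(kept), [d.rstrip("\r\n") for d in dropped]


def parse_bandit_issues(output: str) -> list[dict]:
    """Apply the plugin's regex and return one dict per finding."""
    return [
        {
            "code": m.group("code"),
            "message": m.group("message"),
            # The plugin maps High to SublimeLinter's error group, Medium/Low to warning.
            "severity": "error" if m.group("error") else "warning",
            "line": int(m.group("line")),
        }
        for m in ISSUE_RE.finditer(output)
    ]


# Constructed sample (not captured from a real run): the two stray stderr lines from
# the report followed by one finding in Bandit's default text format, merged the way
# ``error_stream = util.STREAM_BOTH`` hands them to the plugin.
SAMPLE = (
    "[main] INFO Using ini file for skipped tests\n"
    "[main] INFO Using command line arg for selected targets\n"
    ">> Issue: [B602:subprocess_popen_with_shell_equals_true] "
    "subprocess call with shell=True identified, security issue.\n"
    "   Severity: High   Confidence: High\n"
    "   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)\n"
    "   Location: ./kira_valid_file.py:3:0\n"
    "2\timport subprocess\n"
    "3\tsubprocess.call(\"ls\", shell=True)\n"
)


def demo() -> dict:
    """Run both helpers over SAMPLE and return the pieces worth checking."""
    text, dropped = split_bandit_log_lines(SAMPLE)
    return {
        "dropped": dropped,
        "issues_from_filtered": parse_bandit_issues(text),
        "issues_from_raw": parse_bandit_issues(SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the same single B602 finding whether or not the logger lines are stripped; the value of the filter is that SublimeLinter never sees them on stderr, which is the condition that triggers the "bandit output:" warning and the sublime_linter_failed event in the console log above.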